THE MAILING DATE OF THIS COMMUNICATION. 

- Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed 
- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 133). 
earned patent term adjustment. See 37 CFR 1.704(b). 
closed in accordance with the practice under Ex parte Quayle, 1935 C.D. 11, 453 O.G. 213. 
6) Claim(s) 1-13 is/are rejected. 

DETAILED ACTION 
Claim Rejections - 35 USC §103 

Claims 1, 6, and 8-10 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Guski et al (5,592,553) in view of Abadi et al (6,141,760). 

In reference to claims 1 and 8-10, Guski discloses a system and method for generating a 
one-time password that changes pseudorandomly with each request for authentication. The 
method includes receiving a program-specific identifier (H(E)) from said program (E). The 
program specific identifier disclosed by Guski is the host application identifier (column 7 lines 
28-32). Guski further discloses sending said program-password-specific identifier (F(H(E),p)) to 
said program (E), said program-password-specific identifier (F(H(E),p)) being processable by 
said program (E). The password (214) generated at the Security server (208) is sent to the client 
(202) where it is processed by creating the signon request (216) using specific ID. 

Guski does not expressly disclose receiving said password (p); generating from at least 
said program-specific identifier (H(E)) and said received password (p) a program-password- 
specific identifier (F(H(E),p)). 

However Abadi discloses creating passwords for password controlled access points 
(abstract). The method includes the user sending a master password (column 2 lines 64-65). The 
system disclosed by Abadi generates the passwords using a hard to invert function F to combine 
the user name, service name, and master password (column 3 lines 26-33). 

At the time the invention was made, it would have been obvious to a person of ordinary 
skill in the art to send a password from the client to the server of Guski to create the password as 
disclosed by Abadi. One of ordinary skill in the art would have been motivated to do this 
because users have to remember a large number of different passwords and creating passwords 
using a computerized method would reduce the number of passwords a user must remember and 
create more random, and therefore secure, passwords. 

In reference to claim 6, Guski does not disclose a system wherein the 
program-password-specific identifier (F(H(E),p,s)) is generated from the program-specific identifier 
(H(E)), the received password (p), and an additional value (s), said additional value (s) 
characterizing a device (2) where the program-password-specific identifier (F(H(E),p,s)) is 
generated. 

However Abadi discloses a system wherein the program-password-specific identifier 
(F(H(E),p,s)) is generated from the program-specific identifier (H(E)), the received password (p), 
and an additional value (s), said additional value (s) characterizing a device (2) where the 
program-password-specific identifier (F(H(E),p,s)) is generated (Fig. 2). The additional value 
is the user name. The user name characterizes the device because the device is used or owned 
by the user. 

At the time the invention was made, it would have been obvious to a person of ordinary 
skill in the art to send a password from the client to the server of Guski to create the password as 
disclosed by Abadi. One of ordinary skill in the art would have been motivated to do this 
because users have to remember a large number of different passwords and creating passwords 
using a computerized method would reduce the number of passwords a user must remember and 
create more random, and therefore secure, passwords. 

Claims 2, 7, and 11 are rejected under 35 U.S.C. 103(a) as being unpatentable over Guski 
and Abadi as applied to claim 1 above, and further in view of Schneier. 

In reference to claims 2 and 11, Guski and Abadi do not disclose the program specific 
identifier derived by applying a first cryptographic function preferably a one-way hash function. 
Although Abadi discloses the second cryptographic function being a hard to invert function, 
where a one-way hash function is a hard to invert function, neither Guski nor Abadi expressly 
disclose the second function being a one-way hash function, such as MD5 or SHA-1. 

Schneier discloses the MD5 and SHA as hash functions that are used to create a hash 
value such that it is hard to find another pre-image message that produces the same hash value 
(page 429 paragraph 2); and therefore performs the function of H(E) of creating an identifier. 
Schneier further discloses the one-way hash function used for security because the hash value is 
easy to compute, but difficult to reverse (page 429 paragraph 2). 

At the time the invention was made, it would have been obvious to a person of ordinary 
skill in the art to use the hash functions as disclosed by Schneier to create the identifier and a 
secure password in the system of Guski. One of ordinary skill in the art would have been 
motivated to do this because hash functions prevent the substitution of a different pre-image 
message for the original pre-image message by providing a "fingerprint" of the pre-image. 

In reference to claim 7, Guski and Abadi do not disclose a system wherein the 
program-password-specific identifier (F(H(E),p)) is used as a key to decrypt another program. 

Schneier discloses the use of a pass phrase (password) that is transformed into a random 
key by a one-way hash function (page 174 paragraph 2). 

At the time the invention was made, it would have been obvious to a person of ordinary 
skill in the art to use the hash functions as disclosed by Schneier to create the identifier and a 
secure password in the system of Guski. One of ordinary skill in the art would have been 
motivated to do this because hash functions prevent the substitution of a different pre-image 
message for the original pre-image message by providing a "fingerprint" of the pre-image. 
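
The derivation discussed in the rejections above, as an added illustration that is not part of the office action or of the cited references. H(E) is assumed to be SHA-256 over the program image and F is assumed to be PBKDF2-HMAC-SHA256 (the action itself names only a "hard to invert function" and MD5/SHA-1); the function names and sample byte strings are constructed for the example.

```python
import hashlib
import hmac

def program_identifier(program_image: bytes) -> bytes:
    """H(E): one-way hash over the requesting program's image (SHA-256 assumed)."""
    return hashlib.sha256(program_image).digest()

def derive_identifier(h_e: bytes, password: str, device_value: bytes = b"",
                      iterations: int = 100_000) -> bytes:
    """F(H(E), p, s): hard-to-invert combination (PBKDF2-HMAC-SHA256 assumed)."""
    # Length-prefix each part so distinct (H(E), s) pairs never yield the same salt.
    salt = b"".join(len(part).to_bytes(4, "big") + part
                    for part in (h_e, device_value))
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def same_identifier(a: bytes, b: bytes) -> bool:
    """Constant-time comparison of two derived identifiers."""
    return hmac.compare_digest(a, b)

# Constructed sample inputs (not taken from the application or the references).
E_ORIGINAL = b"\x7fELF...banking-client v1"
E_TAMPERED = b"\x7fELF...banking-client v1 + injected code"
PASSWORD = "correct horse battery staple"
DEVICE_A, DEVICE_B = b"device-serial-0001", b"device-serial-0002"

if __name__ == "__main__":
    genuine = derive_identifier(program_identifier(E_ORIGINAL), PASSWORD, DEVICE_A)
    tampered = derive_identifier(program_identifier(E_TAMPERED), PASSWORD, DEVICE_A)
    other_dev = derive_identifier(program_identifier(E_ORIGINAL), PASSWORD, DEVICE_B)
    print("genuine program :", genuine.hex())
    print("tampered program:", tampered.hex())
    print("other device    :", other_dev.hex())
    # The value handed to the program is F(H(E), p, s), not p; a modified
    # program image or a different device value yields an unrelated result.
    print("tampered matches genuine:", same_identifier(genuine, tampered))
```

The 32-byte output is the size of a symmetric key, which is the use recited in claim 7.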

Claims 3-5, and 12-13 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Guski and Abadi as applied to claim 1 above, and further in view of Cheng et al. 

In reference to claim 3, Guski and Abadi do not disclose a system wherein a password- 
reading program (26) and the program-specific identifier (H(E)) are provided by means of a 
trusted computing base (TCB), preferably for both the same trusted computing base (TCB). 

Cheng discloses a computer software architecture for distributed systems based on 
Trusted Computing Base program (Introduction page 216 paragraph 2). 

At the time the invention was made, it would have been obvious to a person of ordinary 
skill in the art to use the trusted computing base as in Cheng in the system of Guski. One of 
ordinary skill in the art would have been motivated to do this because TCB provides confidence 
that it enforces correctly a system security policy and satisfies some critical assurance criteria. 

In reference to claim 4, Guski and Abadi do not disclose a system wherein the password 
(p) is received at the password-reading program (26), and, while said password-reading program 
(26) is executed, all I/O devices are locked and other programs are blocked. 

Cheng discloses key distribution in a system based on TCB. One of the conditions 
required is that A and B believe that the key shared between them is secret shared exclusively 
(Section 4). Locking the I/O and blocking programs when the password is received ensures that 
only the trusted application A and trusted application B have the password. 

At the time the invention was made, it would have been obvious to a person of ordinary 
skill in the art to use the trusted computing base as in Cheng in the system of Guski. One of 
ordinary skill in the art would have been motivated to do this because TCB provides confidence 
that it enforces correctly a system security policy and satisfies some critical assurance criteria. 

In reference to claims 5 and 12-13, Guski and Abadi do not disclose a system wherein 
the fact that the password-reading program (26) is executed based on the trusted computing base 
(TCB) is indicated via a signal, preferably by illuminating an LED (28), while the password- 
reading program (26) receives the password (p). 

At the time the invention was made, it would have been obvious to a person of ordinary 
skill in the art to indicate while the password-reading program receives the password in the 
system of Guski. One of ordinary skill in the art would have been motivated to do this because 
indicating will inform the user that a security process is in progress. 

Conclusion 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Paula W Klimach whose telephone number is (703) 305-8421. 
The examiner can normally be reached on Mon to Thr 9:30 a.m. to 5:30 p.m. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kim Vu can be reached on (703) 305-4393. The fax phone number for the 
organization where this application or proceeding is assigned is 703-872-9306. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 

The 2100 Tech center will move to Carlyle in October 2004. The new telephone number 
for the receptionist is (571) 272-2100. The examiner's new telephone number will be 
(571) 272-3854. 




PWK 

Tuesday, August 31, 2004 



